Babylon Health has acknowledged that its GP video appointment app has suffered a data breach. The firm was alerted to the problem after one of its users discovered he had been given access to dozens of video recordings of other patients’ consultations. A follow-up check by Babylon revealed a small number of further UK users could also see others’ sessions. The firm said it had since fixed the issue and notified regulators. Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video call and, when appropriate, sends an electronic prescription to a nearby pharmacy. It has more than 2.3 million registered users in the UK.
Chatbots, just like websites, are a target for hackers that can be used to penetrate corporate systems and gain access to sensitive payment and personal information. AI and chatbots are often a more direct access point to corporate resources than webpages. As companies add more points of communication access, those become more points for hackers to leverage. Companies need to consider all communication and payment endpoints as potentially vulnerable to a cyber-attack, and protect those endpoints accordingly.
Anyone who develops an app that handles sensitive customer data should ask themselves two important questions – is it secure and is it really necessary? We’re seeing that breaches such as these are all too common and anyone looking to save time and money by moving to a digital system should take risks such as these into consideration.
Companies who hold private information should also ensure they have clearly defined security policies and procedures to avoid the leak of information. This starts with employee education, which underscores all effective cybersecurity and data protection strategies, and comprehensive best practice guides are critical to protecting information, especially when holding sensitive data on customers.
This is especially important in the healthcare industry, which is at particular risk of cyber-attacks and data breaches, as information such as health records is very valuable to criminals. It will always command high prices on the dark web as it can be used for criminal activities such as fraud, extortion and in the drug trade.
All organisations are under pressure to make sure data is kept secure, none more so than those operating in the healthcare sector. Companies like Babylon Health are responsible for managing and securing highly sensitive data. Often the focus is on creating a secure environment that defends against would-be cyber attackers, as criminals see the sensitive data held as a potential treasure trove. But organisations must also ensure that the data they collate is managed correctly and access to it is strictly controlled. Failure to manage this access correctly leads to highly sensitive data breaches that could be, and should be, avoided.
It’s extremely alarming to hear that a user of the Babylon Health app has been able to access dozens of confidential video recordings of other patients’ consultations. With more than 2.3 million registered users in the UK, we are concerned that many more may have been affected with extremely private information leaked.
We urge others to follow this lead and come forward, as we know from experience in helping others just how bad this kind of data breach can be. Those affected could be eligible to receive significant compensation for Babylon Health’s negligence which could result in potentially damaging emotional harm for patients.
With doctors difficult to access due to coronavirus restrictions, many are relying on technological solutions like Babylon Health. Data breaches like this show that there is still much more that needs to be done to ensure we can trust in the use of such technology. Healthcare organisations can be particularly vulnerable to data breaches due to the wealth of highly sensitive information they hold, and firms operating in this sector must go the extra mile to ensure data is protected, or face the consequences.
While the risk was limited, it is a scary thought that sensitive patient data via video consultations could be accidentally disclosed. This is a reminder of how important the principle of least privilege is along with strong access controls that reduce accidental data disclosures.
This has become an all too common occurrence, as highlighted in the recent 2020 Verizon Data Breach Investigations Report which revealed that human error and misconfigurations are on the rise and contributing to many data breaches.